27
Fri, Dec
48 New Articles

How to Lawfully Navigate Social Media Checks in Recruitment

Bulgaria
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In today's digital age, social media has become a ubiquitous presence in our personal and professional lives. For employers, these platforms offer a valuable yet complex tool in the hiring process. While the potential to gather additional insights about job candidates is enticing, it also raises significant legal questions regarding privacy and data protection.

This article explores the legal boundaries surrounding employers' use of social media in the recruitment process, particularly under the framework of the General Data Protection Regulation (GDPR). By gaining this understanding, employers can navigate the recruitment process more effectively, ensuring they respect candidates' privacy while making informed hiring decisions.

Legal Basis for Collection of Information from Job Candidates' Public Social Media Profiles by Employers

The collection of information about job candidates from their publicly accessible social media profiles constitutes personal data processing. Employers can engage in this activity only if they have a legal basis and have duly informed the candidates.

Typically, this processing is grounded in the so-called "legitimate interest" of the employer, acting as a data controller. Legitimate interest is one of the six legal bases allowing for the lawful processing of personal data under the GDPR.

For an employer to claim legitimate interest, they must conduct and document a "balancing test." This involves weighing their legal interests against the rights and freedoms of the data subject (the job candidate), considering the candidate's reasonable expectations. This test must be done before data collection, and its outcome determines whether the employer can lawfully use this basis for processing.

The employer's interest will be justified if the data processing includes only relevant, limited, and necessary information for the recruitment purposes, and it aligns with the candidates' reasonable expectations. This typically involves information about education, professional experience, and other relevant data publicly shared by candidates on professional networks like LinkedIn.

Next, consent can also be an appropriate basis for personal data processing provided that the data subject has a genuine choice to grant or withhold consent without facing negative consequences. If these conditions are not met, the consent is not considered freely given and is therefore invalid.

Given the imbalance of power in the relationship between employer and (future) employee, it is unlikely that the data subject would be able to refuse to give their consent to the employer for data processing without fearing adverse consequences as a result of that refusal (e.g., the risk of their application being rejected and losing the job opportunity). Consequently, the European Data Protection Board finds it problematic for employers to process the personal data of current or future employees based on consent.

Notification Obligations and Right to Object

It is advisable to notify candidates that their social media activity (and on which platforms) will be checked before they enter the recruitment process - for example, by including this information in the privacy notice accompanying the job advertisement. If this has not been done, or if the candidate applies “spontaneously” without there being a published job advertisement, the notice should be provided during the initial contact after receiving the application, before any checks and corresponding data processing begin.

It should be noted that a job candidate can object to checks of their social media activity, and the employer must inform them of this right.

Upon objection, the employer must cease the processing unless they can demonstrate compelling legal grounds that outweigh the candidate’s interests, rights, and freedoms.

Employers should not exclude candidates from the recruitment process for objecting to social media checks. Doing so would excessively infringe upon the candidate's rights and interests. It would be challenging for the employer to justify that no other methods, less intrusive than social media checks, could achieve the same processing purposes.

Data Minimization

The employer has the right to collect only such data that are relevant and limited to what is necessary in relation to the purposes for which they are processed – this is the so-called "data minimization" principle outlined in the GDPR. Collecting information about marital status and personal opinions on various public topics will generally violate this principle, and the employer is not entitled to do so. Moreover, processing such data poses a risk of discrimination in the selection process based on, for example, ethnic origin, religion, or beliefs, as a result of obtaining personal information.

Enforcement and Sanctions

The GDPR has gained notoriety for its stringent sanctions, which can amount to €20 million or 4% of a company's global annual turnover, whichever is higher, underscoring the critical importance of data protection compliance.

So far, based on the publicly available information regarding the practices of data protection authorities in EU member states, no sanctions have been imposed on employers for unlawfully collecting information from candidates' social media profiles.

However, issues related to the lawfulness of such checks by employers (or recruitment agencies) have caught the attention of supervisory authorities, leading to clarifications in various opinions, guidelines, and other documents. For instance, Italy has an approved code of conduct for recruitment agencies, stating that checks should be conducted only on candidates’ profiles in professional networks, and information collection should be limited to relevant professional qualifications.

Key Takeaways

In conclusion, it should be noted that the internet offers employers vast opportunities to access information about candidates that they would not have the right to request during recruitment, such as “sensitive” data about political views, religious beliefs, health status, or sexual orientation. Although the employer does not have the right to use such information, learned for example from a candidate's personal Facebook profile, the hiring decision may still be influenced by it. Therefore, it is important for individuals to be aware that they can have control over the information about them on the internet and to be mindful of the "digital footprint" they leave behind.

When it comes to employers, the integration of social media checks into the recruitment process presents both opportunities and challenges. It is essential for them to navigate this area with caution, adhering to legal requirements and respecting the privacy rights of candidates. 

This article is subject to copyright. It expresses the opinion of the author and should not be considered as a recommendation to take certain actions or legal advice.

By Irena Koleva, Senior Associate, Deloitte Legal